Resolving alerts from secret scanning

Fixing alerts

Once a secret has been committed to a repository, you should consider the secret compromised. GitHub recommends the following actions for compromised secrets:

• Verify that the secret committed to GitHub is valid. Applies to GitHub tokens only. See Checking a secret's validity.See Performing an on-demand validity check.
• For secrets detected in private repositories, report the leaked secret to GitHub, who will treat it like any publicly leaked secret and revoke it. Applies to GitHub personal access tokens only. See Reporting a leaked secret.
• Review and update any services that use the old token. For GitHub personal access tokens, delete the compromised token and create a new token. See Administración de tokens de acceso personal.
• Depending on the secret provider, check your security logs for any unauthorized activity.

Reporting a leaked secret

If a secret is detected in a public repository on GitHub and the secret also matches a supported partner pattern, the potential secret is automatically reported to the service provider. For details of all supported partner patterns, see Supported secret scanning patterns.

For secrets detected in private repositories, anyone who can view alertas de examen de secretos for a repository can choose to report the privately exposed secret directly to GitHub.

By reporting the secret, the token provider will treat the privately exposed secret as if it had been publicly leaked. This means the token provider may revoke the secret, so you should first consider reviewing and updating any services that use the secret. If possible, you should also consider notifying the token owner before reporting the token, so that the token owner is aware that the secret may get revoked.

You will only see the option to report a privately exposed secret to GitHub if the following conditions are met:

• The secret is a GitHub personal access token.
• The secret's validity has not been confirmed, or the secret's validity has been confirmed as active.

1. En GitHub, navegue hasta la página principal del repositorio.

2. Debajo del nombre del repositorio, haz clic en Security. Si no puedes ver la pestaña "Security", selecciona el menú desplegable y, después, haz clic en Security.

   

3. In the left sidebar, under "Vulnerability alerts", click Secret scanning.

4. From the alert list, click the alert you want to view.

5. In the alert view for the leaked secret, click Report leak.

   Nota:

   In order to prevent breaking workflows, consider first rotating the secret before continuing, as disclosing it could lead to the secret being revoked. If possible, you should also reach out to the token owner to let them know about the leak and coordinate a remediation plan.

6. Review the information in the dialog box, then click I understand the consequence, report this secret.

Closing alerts

1. En GitHub, navegue hasta la página principal del repositorio.

2. Debajo del nombre del repositorio, haz clic en Security. Si no puedes ver la pestaña "Security", selecciona el menú desplegable y, después, haz clic en Security.

   

3. In the left sidebar, under "Vulnerability alerts", click Secret scanning.

4. Under "Secret scanning", click the alert you want to view.

5. To dismiss an alert, select the "Close as" dropdown menu and click a reason for resolving an alert.

   

6. Optionally, in the "Comment" field, add a dismissal comment. The dismissal comment will be added to the alert timeline and can be used as justification during auditing and reporting. You can view the history of all dismissed alerts and dismissal comments in the alert timeline. You can also retrieve or set a comment by using the Secret scanning API. The comment is contained in the resolution_comment field. For more information, see Puntos de conexión de la API REST para el examen de secretos in the REST API documentation.

7. Click Close alert.

Next steps

• Monitoring alerts from secret scanning